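// Helper: forward a request to platform-api using the signed-in operator's
// access token. Every operator proxy route uses this — it's the only place
// we touch the encrypted session.
import type { H3Event } from 'h3'
import { getUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'

// Base URL of platform-api; PLATFORM_API_INTERNAL_URL overrides the default.
const BASE = process.env.PLATFORM_API_INTERNAL_URL ?? 'http://platform-api:3001'

/**
 * Forwards a request to platform-api with the signed-in operator's access
 * token attached as a bearer credential.
 *
 * NOTE(review): the type arguments (`<T>`, `Record<...>`, `Promise<...>`) were
 * missing from the listing as received; they are restored here in their widest
 * form — confirm against the original declaration.
 *
 * @param event - The incoming H3 request, used to read the operator's session.
 * @param path - Path appended to the platform-api base URL. Route handlers that
 *   build it from request input should encode each segment
 *   (`encodeURIComponent`) before passing it in.
 * @param init - Optional HTTP method (defaults to `GET`), request body and
 *   query parameters.
 * @returns The upstream response, asserted (not validated) to be `T`.
 * @throws A 401 error when no session or access token is available, a 400
 *   error when `path` would move the request off the platform-api origin, and
 *   otherwise an error carrying the upstream status code (500 when the
 *   failure has none) and the upstream error body.
 */
export async function platformApi<T = unknown>(
  event: H3Event,
  path: string,
  init: { method?: string; body?: unknown; query?: Record<string, unknown> } = {},
): Promise<T> {
  // Fail closed: a session that cannot be read is treated as "not signed in".
  const session = await getUserSession(event).catch(() => null)
  const accessToken = (session as { accessToken?: string } | null)?.accessToken
  if (!accessToken) {
    throw createError({ statusCode: 401, statusMessage: 'Not signed in' })
  }

  // `path` is appended to BASE as plain text, so a value that does not begin a
  // new path segment could change the host the URL resolves to — and the
  // bearer token would be sent there. Only proceed when the combined URL still
  // has the platform-api origin.
  const target = `${BASE}${path}`
  let staysOnPlatformApi = false
  try {
    staysOnPlatformApi = new URL(target).origin === new URL(BASE).origin
  } catch {
    // An unparseable URL is rejected the same way as an off-origin one.
    staysOnPlatformApi = false
  }
  if (!staysOnPlatformApi) {
    throw createError({ statusCode: 400, statusMessage: 'Invalid upstream path' })
  }

  try {
    return (await $fetch(target, {
      method: (init.method as 'GET' | 'POST' | 'PATCH' | 'DELETE') ?? 'GET',
      headers: { Authorization: `Bearer ${accessToken}` },
      body: init.body,
      query: init.query,
    })) as T
  } catch (err: unknown) {
    // The upstream status and error body are relayed unchanged, so whatever
    // platform-api puts in its error payloads reaches the caller of this route.
    const e = err as { statusCode?: number; data?: unknown }
    throw createError({ statusCode: e.statusCode ?? 500, data: e.data })
  }
}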